Improving Cybersecurity for Small and Medium-Sized Businesses

One of the Department of Homeland Security’s priorities in cybersecurity is supporting small and medium-sized businesses. Like their larger counterparts, small and medium businesses frequently house sensitive personal data, and proprietary and financial information. And they are increasingly becoming targets for cyber criminals who recognize that smaller businesses may be easier to penetrate as they may lack the institutional knowledge and resources that larger companies have to protect their information.

DHS and our federal partners have dedicated significant resources to helping small and medium businesses improve their cybersecurity. Earlier this year, we put out a request for information to help us assist small and medium businesses in adopting the NIST Cybersecurity Framework, a set of voluntary standards, guidelines, and practices. The Framework and the Department’s C3 Voluntary Program are designed to move cybersecurity from an afterthought in the IT budget of many businesses to an investment in risk mitigation based on potential consequences. Cybersecurity should be a discussion in every boardroom, independent of company size. By working together with the private sector, we can drive markets and innovation through economies of scale to deliver the best cybersecurity to all of our companies and citizens.

We have also worked with the Federal Communications Commission and others to develop a Small Biz Cyber Planner, a tool for businesses to create custom cybersecurity plans. The planner includes information on cyber insurance, advanced spyware, and how to install protective software. In addition, the Cybersecurity for Small Business training course, offered by the U.S. Small Business Administration, covers the basics of cybersecurity and information security, including the kind of information that needs to be protected, common cyber threats, and cybersecurity best practices.

The private sector provides various tools and resources for small and medium business owners as well. Internet Essentials for Business 2.0 is a guide for business owners, managers, and employees developed by the U.S. Chamber of Commerce. The guide focuses on identifying common online risks, best practices for securing networks and information, and what to do when a cyber incident occurs. The DHS Stop.Think.Connect.™ campaign recently added the National Association of Women Business Owners (NAWBO) as a partner to help us raise awareness amongst business owners about the importance of cybersecurity.

Every company is at risk. We must all budget and plan for the ability to keep operations running while we recover from an attack or attack attempt. The cyber adversaries are everywhere, and they prey on the uninformed and the complacent. If you are a business owner, we encourage you to take a few simple steps to improve your company’s cybersecurity. These include:

Use and regularly update anti-virus and anti-spyware software on all computers; automate patch deployments across your organization to protect against vulnerabilities.

Establish security practices and policies to protect sensitive information; educate employees about cyber threats and how to protect your organization’s data, and hold them accountable to the Internet security policies and procedures.

Require that employees use strong passwords and regularly change them.

Invest in data loss prevention software for your network and use encryption technologies to protect data in transit.

Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

Consider cybersecurity as part of your overall corporate risk, and govern cybersecurity with a policy that comes from the Boardroom – and is part of your culture.

Think about new and innovative ways to enhance cybersecurity and drive your business while you protect it.